iptables pcap log

ulogd is the netfilter/iptables userspace logging daemon. It opens a netlink socket to the Linux kernel and reads the packets that the iptables ULOG target queues to it, then writes them out as plain text, to MySQL or PostgreSQL, or as a PCAP file that tcpdump and Wireshark can open directly. Note that the ULOG target was removed from the kernel in Linux 3.17; on newer kernels the equivalent is the NFLOG target, which ulogd2 reads through its NFLOG input plugin.

Install the PCAP output plugin with (on distributions that ship ulogd2, the package is named ulogd2-pcap):

apt-get install ulogd-pcap

Configure ulogd to output in PCAP format

vim /etc/ulogd.conf

Un-comment the line plugin="/usr/lib/ulogd/ulogd_PCAP.so" and restart ulogd. Then add a logging rule to iptables immediately before the final DROP rule: a log rule appended after the DROP is never reached, and one placed too early also captures traffic that later rules accept. The rule only works if the ULOG netlink group it uses (--ulog-nlgroup) matches the nlgroup ulogd is configured to read.
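Putting the steps above together, here is an added example script that is not part of the original page: it computes the rule number of the last DROP in a chain from `iptables -S` output so the log rule can be inserted directly before it, emits the matching ULOG (or NFLOG, for kernels without ULOG) rule, and prints a ulogd.conf fragment. The chain name INPUT, netlink group 1, the output path /var/log/ulogd.pcap, the prefix DROP and the ulogd 1.x-style config keys are assumptions, not taken from the page; the sample ruleset is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): place an iptables ULOG/NFLOG
# logging rule directly before the final DROP of a chain, and print the
# ulogd configuration that turns those packets into a PCAP file.
# Assumed (not on the page): chain INPUT, netlink group 1,
# /var/log/ulogd.pcap as output file, ulogd 1.x-style [global]/[PCAP] keys.

NLGROUP=1
PCAP_FILE=/var/log/ulogd.pcap
PREFIX=DROP

# Constructed sample of `iptables -S INPUT` output, standing in for a live
# ruleset. Rule 4 drops SMTP, rule 5 is the final catch-all DROP.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j DROP
-A INPUT -j DROP'

# last_drop_position CHAIN RULES
# Prints the 1-based number of the last "-j DROP" rule in CHAIN. Inserting
# the log rule at that number (iptables -I CHAIN N) puts it right before the
# drop. Prints 0 when the chain has no DROP rule; the drop then comes from the
# chain policy and the log rule belongs at the end (iptables -A).
last_drop_position() {
    chain=$1
    rules=$2
    printf '%s\n' "$rules" | awk -v chain="$chain" '
        $1 == "-A" && $2 == chain { n++; if ($0 ~ / -j DROP$/) last = n }
        END { print last + 0 }'
}

# ulog_rule_cmd CHAIN POS TARGET
# Prints the iptables command for the log rule. TARGET is ULOG (the target
# this page uses, removed in Linux 3.17) or NFLOG (its replacement); the two
# take differently named group/prefix options.
ulog_rule_cmd() {
    chain=$1
    pos=$2
    target=$3
    case "$target" in
        ULOG)  opts="-j ULOG --ulog-nlgroup $NLGROUP --ulog-prefix $PREFIX" ;;
        NFLOG) opts="-j NFLOG --nflog-group $NLGROUP --nflog-prefix $PREFIX" ;;
        *) echo "unknown target: $target" >&2; return 1 ;;
    esac
    if [ "$pos" -gt 0 ]; then
        printf 'iptables -I %s %s %s\n' "$chain" "$pos" "$opts"
    else
        printf 'iptables -A %s %s\n' "$chain" "$opts"
    fi
}

# ulogd_pcap_conf
# Prints the /etc/ulogd.conf fragment: the PCAP plugin line that the page says
# to un-comment, the netlink group matching the rule above, and the [PCAP]
# output section (file and sync are the plugin's options; sync=1 flushes each
# packet so the file is readable while the daemon runs).
ulogd_pcap_conf() {
    cat <<EOF
[global]
nlgroup=$NLGROUP
plugin="/usr/lib/ulogd/ulogd_PCAP.so"

[PCAP]
file="$PCAP_FILE"
sync=1
EOF
}

# With --apply, read the live ruleset and add the rule for real (needs root);
# without it, only show what would be run, using the constructed sample.
if [ "${1:-}" = "--apply" ]; then
    live=$(iptables -S INPUT)
    pos=$(last_drop_position INPUT "$live")
    $(ulog_rule_cmd INPUT "$pos" ULOG)
else
    pos=$(last_drop_position INPUT "$SAMPLE_RULES")
    ulog_rule_cmd INPUT "$pos" ULOG
    ulogd_pcap_conf
fi
```

Run without arguments to see the rule and config that would be applied against the sample ruleset; run with --apply as root to insert the rule into the live INPUT chain. Afterwards, read the capture with tcpdump -r /var/log/ulogd.pcap.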